Get the latest security news in your inbox.

Viva Las Vegas! We aliens have landed at AWS re:Invent 2018 (Booth #1506), bringing phenomenal threat detection, response, and compliance to the AWS cloud. As I gear up for a full day of live product demos, I thought I’d take a moment to highlight some of the ways in which AlienVault is delivering phenomenal security to our customers’ AWS environments and beyond.

In 2018, we’ve expanded the number of AWS services that USM Anywhere monitors to include Amazon GuardDuty, Amazon Macie, AWS Application Load Balancer, Amazon Redshift, AWS Lambda invocations, AWS Web Application Firewall, and Amazon API Gateway. This is in addition to the other services we monitor and alert on, including AWS CloudTrail, Amazon S3 access logs, Amazon ELB access logs, Amazon VPC flow logs, AWS Config, Amazon CloudFront, and Amazon CloudWatch. Expanding our AWS threat coverage continues to be a priority for us as more and more customers undergo digital transformations and begin to leverage cloud services and applications to run their businesses. USM Anywhere continuously and automatically monitors AWS infrastructure for threats and anomalous behaviors, assesses your AWS environment for vulnerabilities and configuration errors, and simplifies logging and reporting—all from one cloud-hosted platform.

What’s more, USM Anywhere centralizes security monitoring across AWS, multi-cloud, hybrid, and on-premises networks, including SaaS applications like Office 365 and G Suite, ensuring continuous coverage even as you migrate workloads and data from the network to the cloud and helping to eliminate security blind spots. This single-pane-of-glass approach alleviates the need to invest in multiple, siloed security monitoring tools for clouds, networks, and data centers, as John Chesser, Director of Cybersecurity Solutions at DataPath, a certified AlienVault MSSP, pointed out. “There's time, money, resources that are impacted by having to use the multitude of products out there. With USM Anywhere, I've got it all."

As part of the continuous threat intelligence subscription built into USM Anywhere, the AlienVault Labs Security Research team maintains an AWS-specific correlation rule set. Threat actors are increasingly targeting insecure cloud accounts to access exposed data or set up cryptojacking operations. Once an attacker has gained access to your AWS account, their actions and behaviors may be unique or specific to the environment, such as programmatically spinning up new services. It’s not enough to rely on traditional threat intelligence, which focuses on network threats rather than cloud-specific attacks. That’s why the AlienVault Labs Security Research Team curates AWS-specific threat intelligence, researching and analyzing millions of security events every day using a combination of machine learning, human analysis, and the community-sourced threat data of the AlienVault Open Threat Exchange (OTX) and its 100,000+ global participants.

Here are a few examples of AWS-specific correlation rules added in 2018:

The password associated with an administrator of a Windows instance was retrieved through the AWS console, which may indicate compromised credentials

An EC2 instance in your AWS environment is querying a domain name associated with a known command and control server

The machine is behaving in a way that deviates from the established baseline; it has no history of sending this much traffic, suggesting it might be compromised

A request for temporary security credentials has been followed by the removal of multiple API Keys, a technique malicious actors use to maintain persistence and prevent the owner of the AWS account from regaining access

A new AWS user account is deleting multiple user accounts in a short period of time, which could be malicious attackers trying to disrupt incident response efforts

The automatic and continuous threat intelligence updates from the AlienVault Labs Security Research Team enables USM Anywhere customers to keep up with the latest cloud security threats with minimal effort. As John Chesser noted, “Ultimately, with that integration of the threat intelligence, I haven't had to take information from a third party and try to integrate that. I'm not having to jump to some other product to do it. It's all there together.”

We’re adding another layer of AWS threat detection with the AlienVault Agent.

Earlier this year, AlienVault announced the addition of the AlienVault Agent, a lightweight endpoint agent based on osquery that enables endpoint detection and response (EDR) capabilities in USM Anywhere. When deployed to endpoints within an AWS environment, the AlienVault Agent provides host-based intrusion detection and file integrity monitoring capabilities that are not possible through CloudTrail. Whereas CloudTrail provides visibility into activity that occurs at the management level, such as when someone creates a file in an S3 Bucket or spins up a new service, the Agent can reveal system-level information such as which users are logging in, which files are being created, and which modifications and configurations are being modified. This helps USM Anywhere detect activity like persistence by malware and attackers.

In combination, CloudTrail monitoring and the AlienVault Agent provide a multi-layered approach to threat detection in USM Anywhere. For example, let’s look at how USM Anywhere helps users detect cryptojacking. Often, an attacker will use compromised AWS credentials to gain access to an AWS environment and begin to consume your resources for cryptomining activities. USM Anywhere detects this activity through CloudTrail event logs. However, another common cryptomining attack method comes with a sneaky twist that’s much more difficult to detect. Instead of spinning up new resources that can be detected through CloudTrail monitoring, an attacker might compromise existing instances within an AWS environment, perhaps through a web vulnerability or SSH. While CloudTrail can’t provide visibility of what’s happening on the system itself, the AlienVault Agent can still detect these exploits with its endpoint visibility.

We work hard to provide powerful cloud security for AWS environments, and our customers reap the benefits. For Jason Harper, CEO and Founder of CeloPay, a payment processing technology company whose offering is built entirely in AWS, using USM Anywhere has been a game-changer. “I am thrilled with USM Anywhere,” Harper said. “The platform’s centralized log management consolidates and parses CeloPay’s millions of data points to provide full security visibility, which has reduced our PCI DSS compliance reporting time from eight weeks or more to one week.”

Overall, it’s been a great year for AWS security with USM Anywhere, and I’m proud to share the work we’ve done to help keep your AWS environments secure. Join us at AWS re:Invent #1506 this week to learn more about how AlienVault secures customers' AWS environments.

About the Author:Julia Kisielius, AlienVaultJulia joined AlienVault as a Product Marketing Manager in February 2017. Previously, she was a product manager at Giving Docs, an early-stage startup that makes fundraising software for nonprofits. Before that, she worked on data products and processes to help Tufts University fundraisers raise more than $80M per year. Julia started her career at an asset management firm with $200M under management, where she researched, edited, fact-checked, and promoted financial literacy resources such as books and columns. She graduated from the University of Connecticut with a B.A. in English.
Read more posts from Julia Kisielius ›